I really enjoy computers - especially security. That's why I went to a school profiled as technical/IT. However, they teach crap. They don't know anything after the release of Windows XP/2003. When one of our teachers told us about the dangers involved with a ping of death I gave up on trying to learn stuff from there. I've been trying to find fun stuff to learn about since then and I'm really having problems finding people who know more than me - even though I know there are a lot of them out there. I don't want to be a script kiddie.

I want to learn security from the black-hat perspective. Not to take down NASA, but to learn the potential entrances. My view on security is simply that if I know how to bypass security, I also know how to stop me, and others. I will not attack anything over the internet, no matter what you tell me. When it comes to lab/playground, I have a few computers, and I have no problems running virtual environments. I do schoolwork before the "fun stuff" though, just to let you know.

I know basic C/C++. I also know C#, and how to use Linux bash and Windows scripts. I've been messing around with my computers over the past 12 years now and I'm past the knowledge of my dad as well as everyone I know of around my hometown.

I'm from Sweden, so I also speak Swedish - if that would matter. English works great, though.

If I have missed anything of interest, please ask. I do not have any money to give and I'm not trying to find a babysitter or a slave owner. I am simply trying to find someone smarter and better than me, willing to teach.

If you feel like you know a lot, and don't want to be a "script kiddie", maybe try and write a fuzzer for something, then develop an exploit for it, then rewrite your exploit for Metasploit. All the info is on the internet; maybe you just need someone to point you in the right direction. So you came to the right place - you can find some ideas here, and continue on your own until you find a mentor.
– pootzko Jul 27 '11 at 6:27

The reason you wouldn't be taught much since XP is that from a kernel perspective not much has changed in terms of security. DACLs and Tokens are still used everywhere. Some features like ASLR have been added, but they make writing an exploit no harder; they just make it harder to cause damage when an exploit has occurred.
– Billy ONeal Jul 27 '11 at 15:32

pootzko, that's where I'm going right now, and I think I need a little push in the right direction. @billy, I wasn't really talking about security there. My teacher's view on security is like anything above 6char lowercase pw equals 120% secure system. It took me a few days to get my school's IT-security guy's password.
– Filip Haglund Jul 27 '11 at 17:52

5 Answers

Computer security is a broad field and covers many interesting areas and subjects. Therefore it may be helpful for you, and others, if you clarified what it is about computer security that excites you. Having a clear purpose, and goal, can help immensely with your studies and learning, as it will keep you focused on what is truly important (for you!).

Once you have that it will likely be easier to request a mentor, as you can be more precise about what you seek and what qualities you'd like for your mentor to have.

Intelligently asked questions are never dumb, stupid or irrelevant and prepending your every thought with Why will ensure your constant curiosity, something that in my humble opinion is key to a successful computer security geek! :-)

I don't really have a specific thing I'm interested in. I have always been broad with my computer knowledge and I think I'll continue that way for a while longer. Whatever you want to teach me within the range of security is up to you - I'm open for anything :)
– Filip Haglund Jul 28 '11 at 10:25

The ambiguity of computer security could mean it refers to the hardware aspect, or to a software focus. Since I don't want to make any assumptions about your preference it's hard to suggest anything but my own personal interests. CPU-architecture is a fascinating subject, and learning about "CPU rings" is good as it will support further studies into operating system security. You could also choose to read about various access control models where for example Discretionary Access Control (DAC) underlies most modern operating systems. There is an abundance of things to study... I envy you!
– Christoffer Jul 28 '11 at 11:18

You're a good example of a good'nuff guy for this. You have something you're interested in, it's within the range of security, and also you're Swedish. Care for some time give-away?
– Filip Haglund Jul 28 '11 at 23:38

For sure, I would be happy to. My humble experience and knowledge is at your disposal.
– Christoffer Jul 29 '11 at 9:24

Whether you are a seasoned veteran researching your millionth exploit, a network guru
gone freelance consultant, or a CS grad looking for your big break, there's something for
everyone in the mentorship program. As a mentor, we are looking for participants in
the Information Security community with skills ranging from the highly technical to the
richly experienced. For mentees, bring your passion and energy.

You mention school work: what level of education are you at/how old are you now? Are you working in IT or still studying?

A mentor can be a tricky thing to find, as it is as much about you as it is them -- your compatibility and personalities. There are entire books written about finding mentors.

Typically a boss or senior colleague in the workforce will fill this role, depending on the person and the culture. This could also be a professor or university/college staff member who you respect. For me this has always been someone I've had direct face-to-face contact with, which I feel is important.

Whilst I do think a mentor is very valuable for personal development and growth, you can still achieve a great deal through self-learning and participating in online forums/communities with like-minded individuals (e.g. stackexchange). The Internet is filled with incredible IT/Info Sec people, doing incredible things.

You mention your lab, which is great. Have you explored tools like Metasploit and Burp? Playing with technologies in the penetration testing and exploitation space might be a good learning path for you.

Based on my assumptions of you, I think you should continue learning about what you're passionate about, and like-minded people and mentors will probably find you.

I'm currently 16 years old and I just finished the compulsory part of the Swedish school. The problem I have is that there isn't anyone I know of who has more knowledge or will to learn than me. I've played around with Backtrack and Metasploit, so yes. I've also done some proof-of-concepts towards people who have told me their network or homepage is secure, but only after a written permission. I've never heard of Burp though. Nessus, Metasploit or Burp - which one do you prefer?
– Filip Haglund Jul 27 '11 at 18:03

Until you reach Uni or join the IT workforce, you may need to make do with online contact through forums (stackexchange, mailing lists) and possibly social networking sites (twitter) to find like-minded individuals. Have you looked to see whether there are any user groups near you, e.g. Linux user groups? Even if they're not always strictly security focussed, you can learn a lot of valuable skills which you can apply your security brain to. Regarding the tools, they're all useful in different scenarios -- have a play with each and tell me which /you/ prefer. :)
– lew Aug 8 '11 at 3:10

At your level of education you should pursue a professional education. This broadens your skills and improves chances for jobs in (applied) research or deployment of security infrastructures. The alternative would be to directly go into the market, but your experience is probably insufficient for freelancing. In that case you should try to get a job at a larger IT company. You can try to develop your skills in your spare time and use the job to keep you well fed. If you choose well, the regular job can also help you a lot to gain experience and discover interesting working areas. Nokia does some security research, for example, but they are not doing so well right now.. :-)

For the research option, there is a well-known Erasmus/Mundus program for studying IT security in Scandinavia, where you take lectures at the major universities[0]. It starts with the master, but maybe you find some BSc program when you look at the individual universities. You can do a standard computer science BSc, or, if you don't like too much theory and need IT security for motivation, there is also a BSc in IT security offered in Norway[1] and another one in Germany[2] (you need German for this one though, esp. for the basic math/electronics courses). CASED is probably the largest IT security research facility in Europe now and getting larger. The associated Technical University Darmstadt offers an MSc program in IT security[3].

PS: If one of the universities is not so far away, see if you are interested in some of the lectures. I'm not sure about the Swedish system but I think you can attend for free. This will give you a head start when you do the actual program later on. You might even try to get hired as an assistant in one of their research labs. These people often need programmers for smaller projects and will give you more exciting tasks if you prove your reliability and skill.

I am in search of my next school. It doesn't really matter where in the world it is. The only thing I want is really good teachers.
– Filip Haglund Jul 28 '11 at 23:42

I suppose your first decision is industry or higher education. In any case, your current perspective is still very narrow and hands-on. It'll take some more time before you can tell a good teacher from a bad one, and you won't have much choice anyhow. Choose a good working environment or university program and then just hope for the best and do the rest on your own. You get more personal freedom in higher education but they will also bug you more with topics like math, electronics and info theory. As in school, you will only recognize their true worth much later..
– pepe Jul 28 '11 at 23:57

For additional education at home, I would recommend choosing individual topics and going really deep there. Vulnerability exploitation is certainly one interesting field and there are some good books and articles and also lots of code online. Or you buy some books about cryptographic protocols and implementation, look at standards and try fixing bugs or adding algorithms in some crypto libraries. Some people also find Web 2.0 security interesting. Or maybe you're interested in OS design and rather want to check out genode.org...
– pepe Jul 29 '11 at 0:04

When the teacher knows less than the part of the class that isn't spending 99% of their time on Facebook it has to be bad. The only thing I really don't like about the schools I've looked at (KTH i.e.) is that they start off with a few years of things I already know. I'm basically interested in everything securitywise. Cryptography is interesting though, but I don't want to read a few hundred pages about one algorithm. Web security is fun as well - mostly because so many things are insecure. And thanks for the genode link!
– Filip Haglund Jul 29 '11 at 9:36

Employer: "We require MSc or 10 years industry experience." - You: "I did not study because I knew all this stuff already." Employer: "Then it should be easy to make the exams and we'll be happy to see you again next year." Also, there is more to learn than the actual content. People take MSc or PhD because they know that these people were able to complete projects and work under pressure. Also in areas they did not like.
– pepe Jul 29 '11 at 10:08

Teaching yourself some low level deconstruction will definitely help. The beautiful thing about Information Security is that since the field is so new, there are lots of domains to dabble in. IMO, it won't be too long before a generalist sorta disappears though.

All you need is a passion for wanting to know how things work, if you got that, then you're well on your way. It takes time. I'm not really certain HOW you want to go, but there are a lot of smart people out there, I would start reading up on some books and checking some blogs.

Write yourself a simple program in C and step through it in a debugger. Then do it again in assembly. Reversing Secrets ... I found to be a good book to read up on it. Tons of info out there for this though.